diff --git a/elao.app/.manala/Makefile.tmpl b/elao.app/.manala/Makefile.tmpl
index 1bd3d2f0..4e02c6cf 100644
--- a/elao.app/.manala/Makefile.tmpl
+++ b/elao.app/.manala/Makefile.tmpl
@@ -110,6 +110,25 @@ docker:
 endif
+#########
+# Vault #
+#########
+
+include $(_ROOT_DIR)/.manala/make/vault.mk
+
+ifdef VAULT_ADDR
+HELP += $(call help_section, Vault)
+
+HELP += $(call help,vault.login,Vault login)
+vault.login:
+ $(call vault_login)
+
+else
+vault.login:
+ $(call message_warning, \"VAULT_ADDR\" environment variable has not been set)
+
+endif
+
 {{ if .Vars.releases -}}
 ############
 # Releases #
diff --git a/elao.app/.manala/ansible/inventories/system.yaml.tmpl b/elao.app/.manala/ansible/inventories/system.yaml.tmpl
index 4dfba006..69f71444 100644
--- a/elao.app/.manala/ansible/inventories/system.yaml.tmpl
+++ b/elao.app/.manala/ansible/inventories/system.yaml.tmpl
@@ -496,4 +496,7 @@ system:
 {{- .docker.containers | toYaml | nindent 10 }}
 {{- end }}
+ # Vault Cli
+ manala_vault_cli_enabled: true
+
 {{- end }}
diff --git a/elao.app/.manala/ansible/roles/system/defaults/main.yaml b/elao.app/.manala/ansible/roles/system/defaults/main.yaml
index bed58369..b89934c2 100644
--- a/elao.app/.manala/ansible/roles/system/defaults/main.yaml
+++ b/elao.app/.manala/ansible/roles/system/defaults/main.yaml
@@ -30,3 +30,4 @@ manala_elasticsearch_enabled: false
 manala_influxdb_enabled: false
 manala_docker_enabled: false
 manala_gomplate_enabled: false
+manala_vault_cli_enabled: false
diff --git a/elao.app/.manala/ansible/roles/system/tasks/main.yaml b/elao.app/.manala/ansible/roles/system/tasks/main.yaml
index 2c47cc04..e5ec1551 100644
--- a/elao.app/.manala/ansible/roles/system/tasks/main.yaml
+++ b/elao.app/.manala/ansible/roles/system/tasks/main.yaml
@@ -179,3 +179,9 @@
 name: gomplate
 when: manala_gomplate_enabled
 tags: [gomplate]
+
+# Vault Cli
+- import_role:
+ name: vault_cli
+ when: manala_vault_cli_enabled
+ tags: [vault]
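Review bot: The fallback `vault.login` in the `else` branch prints a warning but exits 0, so a chained invocation such as `make vault.login && make secrets@staging` (the pattern this commit's README documents) continues without a Vault token and the failure only surfaces later as a gomplate datasource error. Make a missing `VAULT_ADDR` a hard failure, e.g. `$(call message_warning, \"VAULT_ADDR\" environment variable has not been set); exit 1` or `$(error VAULT_ADDR environment variable has not been set)`, whichever fits how `message_warning` is defined (not visible in this hunk). `vault.login` is also not a file; if this Makefile declares its phony targets elsewhere (outside the hunk), add it there so a stray `vault.login` file cannot mask the target.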
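Review bot: `manala_vault_cli_enabled: true` is hard-coded in the inventory template, so every system rendered from it installs the Vault CLI, including projects that never talk to Vault, whereas the other integrations in this role are opt-in via a `false` default. Consider driving it from a project variable the way the surrounding template already reads `.docker.containers` and `.Vars.releases`, for example `manala_vault_cli_enabled: {{ .Vars.vault | default false }}` (constructed key name; use whatever key the project's manala config actually exposes). Keeping an unused secret-management client off hosts is a small, free reduction of installed surface.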
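Review bot: The new task tags the `vault_cli` role as `tags: [vault]`, while the block above tags `gomplate` with its role name; a `--tags vault_cli` run following that convention skips this task silently. Either align it (`tags: [vault_cli]`) or carry both (`tags: [vault, vault_cli]`). The `vault_cli` role itself is not part of this diff, so I could not confirm it exists under `roles/`; if it arrives in another commit, the description should say so.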
diff --git a/elao.app/.manala/make/vault.mk b/elao.app/.manala/make/vault.mk
new file mode 100644
index 00000000..2e1034de
--- /dev/null
+++ b/elao.app/.manala/make/vault.mk
@@ -0,0 +1,9 @@
+#########
+# Vault #
+#########
+
+define vault_login
+ $(call message, Vault login)
+ read -p "Username: " USERNAME; \
+ vault login -method=userpass username=$${USERNAME}
+endef
diff --git a/elao.app/README.md b/elao.app/README.md
index 845cf603..aa45c3aa 100644
--- a/elao.app/README.md
+++ b/elao.app/README.md
@@ -537,16 +537,20 @@ test.phpunit@integration:
 In order to deploy secrets, you can use [Gomplate](https://docs.gomplate.ca), called by a make task.
 Gomplate takes a template, queries its values from a Vault server and renders a file.
-Add the following task in the `Makefile`:
+Add the following tasks in the `Makefile`:
 ```
 ###########
 # Secrets #
 ###########
-secrets/%: _secrets
- gomplate --config=secrets/$(*)
-_secrets:
+secrets@production:
+ gomplate --config=secrets/env.production.yml
+ gomplate --config=secrets/parameters.production.yml
+
+secrets@staging:
+ gomplate --config=secrets/env.staging.yml
+ gomplate --config=secrets/parameters.staging.yml
 ```
 Put templates in a `secrets` directory at the root of the project.
@@ -557,21 +561,17 @@ Here is an example of template:
 %YAML 1.1
 ---
-datasources:
- vault:
- url: vault+https://my-vault-server.com
-
 outputFiles:
 - /path/to/rendered/file
 in: |
 Loop on all values of the secret:
- {{ range $key, $value := (datasource "vault" "MyApp/data/env").data -}}
+ {{ range $key, $value := (datasource "vault:///MyApp/data/env").data -}}
 {{ $key }} = {{ $value | quote }}
 {{ end -}}
 Query only one value of the secret:
- {{ (datasource "vault" "MyApp/data/env").data.value1 -}}
+ {{ (datasource "vault:///MyApp/data/env").data.value1 -}}
 ```
 /!\ Note that the path to the secret will slightly differ from what the Vault server will display \
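Review bot: `read -p "Username: " USERNAME; \` relies on the bash-only `-p` option; with Make's default `SHELL` of `/bin/sh` (dash on Debian-based systems) the recipe aborts with an illegal-option error before `vault login` runs, unless the including Makefile sets `SHELL := bash` (not visible here). A POSIX form that also keeps backslashes in the input literal is `printf 'Username: '; read -r USERNAME; \`. The design is otherwise sound from a secrets-handling view: only the username goes on the command line (and into make's echo of it), while `vault login -method=userpass` prompts for the password itself, so it never lands in argv, shell history or the build log; keep it that way if someone later wants a non-interactive variant (use a token or `VAULT_TOKEN` from the environment rather than a `password=` argument).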
@@ -579,10 +579,12 @@ in: |
 Gomplate uses [Go Template syntax](https://docs.gomplate.ca/syntax/)
-To render the file, call the template with the `make secrets/%` task, where `%` is the name of the template.
+In order to use secrets in development or integration environment, a `VAULT_ADDR` environment variable must be set,
+defining the Vault server address expressed as an URL, for example: `https://127.0.0.1:8200`
+Login to the vaut server using:
-```shell
-make secrets/.env.prod
+```
+$ make vault.login
 ```
 ## Tips, Tricks, and Tweaks